> It _is_ a 16 bit ID space, and that is not fixable inside the strict > DNS protocol, but that still leaves us room to do the best job with > what we have, rather than do nothing at all. Some people appear to be > on the edge of arguing that we do nothing. I have to agree with Theo on this. It doesn't help a lot in theory, but it helps quite a bit in practice. Note that in spoofing responses one does typically have timing issues involved which makes it tougher than just guessing one of 65536 values alone. On another note, why is it that everyone arguing the all-or-nothing case likes to ignore the other very-usable-now mitigation of randomizing source ports? I don't use BIND and I don't care to check it's current behavior, but has the ISC finally gotten around to randomizing the source ports? If not, why not? The extra few bits of entropy can go a long way, particularly if a good PRNG is used. tim
